A Brief History of Personal Data Collection in Lebanon

In December 2017, the Lebanese Ministry of Telecommunications, headed by Minister Jamal Jarrah, started taking steps to mandate biometric registration of prepaid SIM cards, allegedly for security reasons. The proposal to register SIM cards with biometric data was announced without providing a policy assessment to the public, or conducting a threat assessment and mitigation plan with regard to potential breaches. Moreover, the ministry did not address any of the potential negative repercussions that could stem from the creation of a mandatory nationwide registration system, such as placing unreasonable barriers to accessing mobile communication tools. We are also not aware if the ministry considered the human rights issues that could arise from the establishment of a registration system with biometric information.

While the political climate allows the implementation of such projects with little public debate and even less transparency, SMEX is concerned by the Lebanese government’s growing collection of biometrics and other personal data in theabsence of a strong legal framework that regulates the collection, processing, and storage of such data. The unique, permanent, and sensitive nature of biometric data renders its collection without any regulations, or safeguards particularly worrisome for privacy and other human rights.

The Lebanese state’s adoption of biometrics started in February 2015 after it awarded Inkript, in conjunction with Gemalto, a contract to convert Lebanese passports to biometric ones. The collection of biometrics since has not been limited to Lebanese citizens. In April 2017, the General Security announced that it will start issuing temporary biometric residence permits for Arab and foreign nationals.

The creation of a biometric system that can identify and verify individuals’ identities and other forms of personal data is occurring alongside the establishment of a mass surveillance apparatus. In our 2016 mapping of the landscape of digital surveillance in Lebanon, we found that a number of security agencies have acquired mass surveillance technologies that allow them to surveil and monitor online communications. In addition, over the past four years, the Lebanese Cabinet has granted a number of security agencies complete access to all telecommunications data.

The Lebanese state has the ability to combine these systems to implement biometric surveillance. Research by theSociety on Social Implications of Technology found that the “mere threat of widespread biometric surveillance could interfere with rights beyond privacy, such as the right to political expression or association.”

Beyond the absence of a robust legal framework for the protection of personal data and privacy rights, SMEX is troubled by the political and social implications of a surveillance infrastructure that allows those with legal or illegal access to it to detect, monitor, and track virtually anyone in the country — from following them from their point of entry into the country, tracking them on the street through license plate recognition software, to cataloging their internet browsing and consumption habits, and accessing their telecommunications data.

As the Electronic Transactions and Personal Data Protection draft law is currently under review by a subcommittee formed by the joint parliamentary committees, we urge respect for the rights to privacy, association, and expression, and ask the parliament to take into account international guidelines and best practices on data protection.